Blocking Queries

When necessary, LogScale can be configured to prevent queries from executing. There are many scenarios in which one might consider blocking a query or a pattern that matches many queries. For instance, a query pattern may use a large portion of the system's resources, a particular query may be known to be used for malicious purposes (e.g., searching for secrets), or a log line may contain information that should never be searched.

Blocks can be added by defining the following conditions:

  • Based on a regular expression, using the standard LogScale regular expression mechanics.

  • Based on an exact-match query, explicitly matching the defined string.

  • Either against a specific repository or all repositories.

Figure 14. Query Administration Blocklist

The list of currently blocked queries is shown on the Blocklist page and includes the following information:

  • Pattern

    The string or regular expression of the query that is blocked.

  • Type

    Whether the block is based on an Exact Match or Regular Expression.

  • Expires

    When the block expires.

  • View/Repo

    The view or repository to which the block applies.
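Before adding a block, it helps to check a candidate pattern against queries that must be stopped and queries that must keep working. The following is an added example, not LogScale code: it models the four blocklist fields above in Python. The `Block` class, the sample queries and the repository names are constructed, and it assumes Python `re` syntax with unanchored matching stands in for LogScale's regular expression engine and that an empty expiry means the block never expires.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

@dataclass
class Block:                      # hypothetical model of one Blocklist row
    pattern: str                  # "Pattern"
    type: str                     # "Type": "exact" or "regex"
    expires: Optional[datetime]   # "Expires": None = never (assumption)
    repo: Optional[str]           # "View/Repo": None = all repositories

    def matches(self, query: str, repo: str, now: datetime) -> bool:
        if self.expires is not None and now >= self.expires:
            return False          # expired blocks no longer apply
        if self.repo is not None and self.repo != repo:
            return False          # block is scoped to another repository
        if self.type == "exact":
            return query == self.pattern   # whole string must be identical
        # Assumption: unanchored search using Python's re engine
        return re.search(self.pattern, query) is not None

def is_blocked(blocklist: List[Block], query: str, repo: str, now: datetime) -> bool:
    return any(b.matches(query, repo, now) for b in blocklist)

def review(blocklist, must_block, must_allow, repo, now) -> Tuple[list, list]:
    """Return (missed, overblocked): coverage gaps and false positives."""
    missed = [q for q in must_block if not is_blocked(blocklist, q, repo, now)]
    over = [q for q in must_allow if is_blocked(blocklist, q, repo, now)]
    return missed, over

# Constructed sample data
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
EXACT = [Block("password=* | groupBy(user)", "exact", None, None)]
REGEX = [Block(r"password\s*=", "regex", None, "app-logs")]
EXPIRED = [Block(r"password\s*=", "regex",
                 datetime(2023, 12, 31, tzinfo=timezone.utc), None)]
MUST_BLOCK = ["password=* | groupBy(user)", "password = * | count()"]
MUST_ALLOW = ["status=500 | count()", "event=password_reset | count()"]

if __name__ == "__main__":
    for name, bl in (("exact", EXACT), ("regex", REGEX), ("expired", EXPIRED)):
        missed, over = review(bl, MUST_BLOCK, MUST_ALLOW, "app-logs", NOW)
        print(f"{name}: missed={missed} overblocked={over}")
```

An empty `missed` list and an empty `overblocked` list for the intended repository indicate the pattern covers the variants without catching legitimate queries.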